國外簡約大氣的PPT模板_第1頁
國外簡約大氣的PPT模板_第2頁
國外簡約大氣的PPT模板_第3頁
國外簡約大氣的PPT模板_第4頁
國外簡約大氣的PPT模板_第5頁
已閱讀5頁,還剩33頁未讀, 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認領(lǐng)

文檔簡介

TheImportanceofITControlsto

Sarbanes-OxleyCompliance.

1ImportanceofITControlstoSarbanes-OxleyProvideahigh-leveloverviewofSarbanes-OxleyandtheinternalcontrolcertificationrequirementsDiscusstheimportanceofinformationtechnologyininternalcontroloverfinancialreportingDescribehowtheSarbanes-Oxleysection404rulesimpactinformationtechnologyProvideanoverviewoftheCobitITcontrolframeworkProvideanexampleofareadinessprogramroadmapSummarizetheimportanceandimpactofITcontrolstoSarbanes-OxleycomplianceToday’sObjectives2ImportanceofITControlstoSarbanes-OxleySettingtheStage3ImportanceofITControlstoSarbanes-OxleySettingtheStageWhatisinternalcontrol?Internalcontrolisbroadlydefinedasaprocess,effectedbyanentity'sboardofdirectors,managementandotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesinthefollowingcategories:EffectivenessandefficiencyofoperationsReliabilityoffinancialreportingCompliancewithapplicablelawsandregulationsInternalcontrolisnowtheLawTheSarbanes-OxleyActof2002wascreatedtorestoreinvestorconfidenceinthepublicmarketsSection404oftheActrequiresmanagementtoestablishandmaintaininternalcontrol–andrequirestheindependentauditorstoevaluateCompliancedeadline:Year-endsonorafterNovember15,2004PreparingforSarbanes-OxleycomplianceisasignificantandchallengingtaskTherearemanyrequirements,includingtheidentificationofsignificantfinancialstatementaccounts,processesandsystemsthatsupportthemandthendocumentingandtestingthem4ImportanceofITControlstoSarbanes-OxleyOverviewofInternalControlCertificationRequirementsSection302CertificationOverview

CEOandCFOtomakespecificcertificationsasoftheendofeachquarterlyandannualreportingperiod,including:ReportcontainsnountruestatementsReportisfairlypresentedinallmaterialrespectsResponsibilityfordesignandmaintenanceofdisclosurecontrolsandproceduresaswellasinternalcontrolsoverfinancialreportingBecameeffectivein2002(amendedinJune2003)Section404CertificationOverview

CEOandCFOtocertifyasoftheendofeveryannualreportingperiod:TheirresponsibilityforestablishingandmaintainingeffectiveinternalcontrolsoverfinancialreportingTheirassessmentofinternalcontrols,accompaniedbytheindependentauditors’attestationreportEffectiveforannualperiodsendingafterNovember15,2004(smallbusinessandforeignfilersJuly15,2005).5ImportanceofITControlstoSarbanes-OxleyUnderstandingtheRulesImpacttoIT

6ImportanceofITControlstoSarbanes-OxleyUnderstandingtheRulesImpacttoITManagementisrequiredtoassessthedesignandeffectivenessofitsinternalcontroloverfinancialreportingandprovideanassertiontothateffectinthepublishedfinancialstatements.Thecompany’sexternalauditorsarerequiredtoexpressanopiniononmanagement’sassessmentaswelltheirownopiniononthecompany’sinternalcontrols.Auditormustperformawalkthroughofmajorclassesoftransactionsforsignificantprocessestounderstandprocessflows,andassessthedesignandeffectivenessofcontrolsincludingapplicationandITgeneralcontrols.EvaluatethedesigneffectivenessofITcontrolstodeterminewhethertheyareproperlydesignedtoachieverelevantassertions.PerformtestsoftheoperatingeffectivenessofITcontrolsthatarenecessarytoachieverelevantassertions.KeyComplianceRequirementsImpacttoITControls7ImportanceofITControlstoSarbanes-Oxley(paragraph47)

“Theauditorshouldobtainanunderstandingofthedesignofspecificcontrolsbyapplyingproceduresthatinclude…tracingtransactionsthroughtheinformationsystemrelevanttofinancialreporting”

(paragraph73)

“Mostprocessesinvolveaseriesoftaskssuchascapturinginputdata,sortingandmergingdata,makingcalculations,updatingtransactionsandmasterfiles,generatingtransactions,andsummarizinganddisplayingorreportingdata.Theprocessingproceduresrelevantfortheauditortounderstandtheflowoftransactionsgenerallyarethoseactivitiesrequiredtoinitiate,authorize,record,processandreporttransactions.”ThePCAOBrulesareclear-auditorsmustunderstandhowtransactionsflowthroughthesystem…notarounditUnderstandingtheRulesImpacttoITcont’d8ImportanceofITControlstoSarbanes-Oxley(paragraph69)

“Theauditorshouldidentifyeachsignificantprocessovereachmajorclassoftransactionsaffectingsignificantaccountsorgroupsofaccountsand…Understandtheflowoftransactions,includinghowtransactionsareinitiated,authorized,recorded,processed,andreported.Identifythepointswithintheprocessatwhichamisstatement–includingamisstatementduetofraud–relatedtoeachrelevantfinancialstatementassertioncouldarise.Identifythecontrolsthatmanagementhasimplementedtoaddressthesepotentialmisstatements.Identifythecontrolsthatmanagementhasimplementedoverthepreventionortimelydetectionofunauthorizedacquisition,use,ordispositionofthecompany'sassets.

PCAOBstatementsapplicabletoApplicationControls:UnderstandingtheRulesImpacttoITcont’d9ImportanceofITControlstoSarbanes-Oxley (paragraph40)

“Determiningwhichcontrolsshouldbetested…Generally,suchcontrolsinclude…informationtechnologygeneralcontrols,onwhichothercontrolsaredependent” (paragraph50)

“Somecontrolshaveapervasiveeffectontheachievementofmanyobjectives…forexample,informationtechnologygeneralcontrolsoverprogramdevelopment,programchanges,computeroperations,andaccesstoprogramsanddata”PCAOBstatementsapplicabletoITGeneralControls:UnderstandingtheRulesImpacttoITcont’d10ImportanceofITControlstoSarbanes-OxleyTheImportanceof

InformationTechnologyinInternalControloverFinancialReporting

11ImportanceofITControlstoSarbanes-OxleyFormostorganizations,ITispervasiveandcriticaltothefinancialreportingprocessFinancialandroutinebusinessapplicationsarecommonlyusedtoinitiate,authorize,record,processandreporttransactionsRelevantITcontrolsincludeapplicationcontrols-thosethatareembeddedinfinancialandbusinessapplicationsgeneralcomputercontrols–underlyinginfrastructurecomponentsthatsupporttheapplicationsStatementsmadebythePublicCompanyAccountingandOversightBoard(PCAOB)ontheimpactofIT(paragraph75):

“Thenatureandcharacteristicsofacompany'suseofinformationtechnologyinitsinformationsystemaffectthecompany'sinternalcontroloverfinancialreporting”TheImportanceofInformationTechnology(IT)inInternalControloverFinancialReporting12ImportanceofITControlstoSarbanes-OxleyApplicationControlsSoDDataintegrityCompletenessValidationGeneralComputingControlsInformationSecurityOperationsDatabaseImpl.&SupportNetworkSupportBusinessProcessClassesofTransactionsSalesReturnsWriteoffsSignificantAccountBalanceBalance

Sheet(A\R)Income

StatementG/LInventoryOtherA\RMgtProcessFCRPSalesProcessProcessStagesInitiateRecordProcessReportApplicationImpl.&Maint.SystemSoftwareSupportTheRoleofInformationTechnologyinInternalControloverFinancialReportingcont’d13ImportanceofITControlstoSarbanes-OxleyAccountbalance:TradeA\R,SalesClassesofTransactions:Invoices,SalesordersBusinessProcess:A\R,SalesOrderprocessesProcessStages:Initiate,record,processApplicationControls:AccesscontrolsBuiltinlimitsforcreditapprovalRestrictedaccesstopricingtableGCCControls:ProgramchangeOperationsNetwork&systemsecurityLinkAccountsandAssertionstoIT:AnExample

Customer

order

entry

AccountsReceivable

Invoicecontrols

SAP,Oracle,OtherApplicationsGeneralcomputingcontrolscoversecurityaccess,changemanagement,operations,systemsandnetworksupport,dataretention,etc.OrderProcessingOrder&suppliercontrolsSales

Sub-processCustomercontrolsITInfrastructureNetworksSystemSoftwareDatabasesandInformationSecurityApplicationcontrolscoverauthorizedchanges,segregationofduties,validity,completenessandtimelinessofreportingoffinancialinformation.14ImportanceofITControlstoSarbanes-OxleyCobitITControlFrameworkOverview15ImportanceofITControlstoSarbanes-OxleyCOBIT–AModelforGeneralComputerControlsTheITGovernanceInstitute(www.ITGI.org)hasrecentlypublished“revised”guidanceforITprofessionalsonhowtoaddressSarbanes-OxleyfromanITperspective–April2004“Sarbanes-Oxley;Theimportanceofinformation

technologyinthedesign,implementationand

sustainabilityofinternalcontrol”Thepublicationistheresultofa

jointeffortofindustryandauditors,

withleadershipfromDeloitteandothersTheITGIisarecognizedgloballeaderinITgovernance,controlandassurancewithmembersinmorethan100countries16ImportanceofITControlstoSarbanes-OxleyPCAOBdesignatesCOSOastheprescribedstandardcontrolframeworkandhasbecomethecontrolframeworkofchoiceforSOXcomplianceAll5layersmustbeconsideredwhenevaluatinginternalcontrolHowever,COSOdoesnotprovidespecificguidancearoundITcontrol.CobiTisawidelyacceptedITcontrolframework(ITGI)CobiTprovides4domainsofITcontrolCobiTcontrolsaddressthe5layersofCOSOWiththedevelopmentofthisapproach,organizationscanbeconfidentthattheyaretakinganapproachthatreflectsCOSOrequirementsCOBIT–AModelforGeneralComputerControlscont’d17ImportanceofITControlstoSarbanes-OxleyTheITGIpublicationprovidesguidancetoITprofessionalsonhowtomeettheSarbanes-OxleychallengeDetailedcontrolobjectivesareprovidedforeachCobiTdomainandmappedtotheirrespectiveCOSOcomponentOthercontrolguidelineswerereviewedandreconciledtothisapproachduringthedevelopmentprocess,includingISO17799,CommonCriteria,ITIL,andSysTrustOrganizationsshouldassesstheirrequirementsonanindividualbasisandtailortheirapproachaccordinglyCOSOComponentsCobiT

ObjectivesCOBIT–AModelforGeneralComputerControlscont’d18ImportanceofITControlstoSarbanes-OxleyTheCobiTSOAframeworkidentifiedasub-setoftheseareasforthepurposeoffocusingonSOArequirementsCompanylevel:Planning&Organizing/MonitoringCOBIT–AModelforGeneralComputerControlscont’dPlanning&OrganizationITStrategicPlanningITorganizationandrelationshipsManagementofhumanresourcesEducateandtrainusersInformationarchitectureCommunicationofmgmtaimsanddirectionAssessmentofrisksManagetheITinvestmentManageprojectsMonitoringCompliancewithexternalrequirementsManagementofqualityEnsurecontinuousservicePerformanceandcapacityMonitoringAdequacyofinternalcontrolsIndependentassuranceInternalauditActivitylevel:AcquisitionandImplementation/DeliveryandSupportProgramDevelopment(SDLC)ProgramChangesComputerOperations(scheduling,backup,problemmanagement)Accesstoprogramsanddata(applications,database,operatingsystem,network)19ImportanceofITControlstoSarbanes-OxleyTop5List–404ITControlsRequirementsSecurityApplicationandplatformbasedFocusedonapplicationsthatmayimpactfinancialsandsupportinginfrastructureRequiressecureoperatingsystems,database,network,firewallsandinfrastructureAuditorswilllookforexcessiveaccess;lackofsegregationofduties;inadequateapprovalofaccess;theywillbetestingkeyprocessestodeterminethattheyareeffectiveChangeControlNeedtoensurethatproceduresareinplacetocontrolandensureproperapprovalofchangestoproductionTechnicalcontrolsmusttightlylimitandcontroldeveloperaccesstoproductionDisasterRecoveryFocuswillbeonbasicbackupandrecoverabilityoffinancialdataITGovernanceFocuswillbeondeterminingofthereareclearpolicies,procedures,andcommunicationswithinITArethereclearsegregationofduties?Istheretheappropriate“toneatthetop”oftheITorganization?DevelopmentAndImplementationActivitiesPropercontrolsneedtobebuiltinbeforeanewsystemorsystemchangesgointheproductionenvironmentAuditorsmayevaluatenewfinancialsystems;dataconversionandtestingarecritical20ImportanceofITControlstoSarbanes-OxleyMostCommonITControlGapsToRemediateChangecontrolprocessesnotfullyinplace(especiallyindistributedorwebbasedenvironments)Securityprocedures,strategies,andprofilestructuresnotdocumentedforcriticalapplications.Organizationalsecuritypolicies,procedures,androlesandresponsibilitygaps.SecurityadministrationprocedureslackappropriatecontrolsorconsistencyInadequatecontrolstodeleteorchangeaccesswhenindividualleavesofchangesjobresponsibilities(especiallycontractors)InadequateapprovalofaccesschangesAccesslevelsnotregularlyreviewedandapprovedbymanagementExcessiveaccesstosystemsPrivilegedaccesstooperatingsystem,database,andapplicationenvironmentInadequatesegregationofdutiesApplicationdevelopersandDBAshaveaccesstoproductionInfrastructuresupportingapplicationsisnotsecure(network,operatingsystem,database)ITcontrolsnotintegratedintokeybusinessprocesses(e.g.SDLC,changecontrol,compliance,testinganddataconversionprocedures)Lackofaregularprocesstoverifythatcontrolscontinuetobeadequateandeffective(atleastquarterly)NolongtermstrategytoevaluateandaddressrisksTheareasthatwillgethithardestaresecurityandchangecontrol21ImportanceofITControlstoSarbanes-OxleyITControlReadinessRoadmap

22ImportanceofITControlstoSarbanes-OxleySOAReadinessRoadmapPreparingforSOX404requiresastructuredandmeasuredapproach,otherwiseyouwillfindyourselfdoing“toomuch”or“toolittle”ThecurrentPCAOBrulesrequireauditorstoatteston“managementassessmentprocess”Assuch,thereadinessroadmapthatmanyorganizationsarefollowingdemonstratestheassessmentprocessthroughaseriesofstepsandactivitiesthataligntothePCAOBrules23ImportanceofITControlstoSarbanes-OxleySOAReadinessRoadmapBusinessValueSarbanes-OxleyITCompliance1.Plan&ScopeFinancialreportingprocessSupportingsystems3.IdentifySignificantControlsApplicationcontrols-overinitiating,recording,processing&reportingITGeneralControls5.EvaluateControlDesignMitigatescontrolrisktoanacceptablelevelUnderstoodbyusers8.DocumentProcess&ResultsCoordinationwithAuditorsInternalsign-off(302,404)Independent

sign-off(404)7.Identify&RemediateDeficienciesSignificantdeficienciesMaterialweaknessRemediation6.EvaluateOperationalEffectivenessInternalauditTechnicaltestingSelfassessmentInquiry+Alllocationsandcontrols(annual)4.DocumentControlsPolicymanualsProceduresNarrativesFlowchartsConfigurationsAssessmentquestionnaires2.PerformRiskAssessmentProbability&ImpacttobusinessSize/complexity9.BuildSustainabilityInternalevaluationExternalevaluation24ImportanceofITControlstoSarbanes-OxleyAReadinessRoadmap

Plan&ScopeKeyConsiderationsIn-scopevsout-of-scopesystemsOpportunitiesforimprovementPrevention,identificationanddetectionoffraudKeyComponentsFinancialreportingprocessesInitiatingRecordingProcessingReportingClassesoftransactionsNon-routineandsystematicUnderstandthefinancialreportingprocessandidentifytheinformationsystemsandrelatedresourcesthatareused.25ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

PerformRiskAssessmentKeyComponentsITRisksQualityandIntegrityfailureSecurityfailureAvailabilityfailureRiskassessmentProbabilityoffailureImpacttothebusinessKeyConsiderationsSpecificriskareasDatavalidationDataconversionInterfacesManagementreportsComplexorcriticalcalculationsSpreadsheetsIdentifyrisksassociatedtheinformationsystemsandrelatedITresources(ie.whatcouldgowrong?)26ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

IdentifySignificantControlsKeyComponentsApplicationcontrolsEmbeddedwithinbusinessprocessesDirectlysupportfinancialassertionsGeneralcontrolsProgramdevelopmentProgramchangesProgramoperationsAccesscontrolKeyConsiderationsControlframework-CobiTTMRevised–April2004***12primarycontrolobjectivesattheprocesslevelControlenvironmentquestionnaireforentitylevelIdentifyapplicationandgeneralcontrols27ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

DocumentControlsKeyComponentsProcessdescriptionRiskassessmentControlobjectiveControlactivityTestofthecontrolConclusionsandremediationplansKeyConsiderationsIncludecompensatingcontrolsImpactonoverallSOAtestingprogramReportgapsindocumentationSufficienttosupportmanagementassertionDocumentcontrolprocessestosupportmanagement’sassessment28ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

EvaluateControlDesignKeyComponentsSufficienttodemonstrate:ControldesignedtopreventordetectmaterialerrorsConclusionthattestswereappropriatelyconductedResultsoftestsappropriatelyevaluatedKeyConsiderationsPreventativevs.detectiveAutomatedvs.manualPeople,processandtechnologyControlmaturitylevel–controlsaredefined,managed,measuredandrepeatableControlsshouldbedesignedtoreducetheriskoferrortoanacceptablelevel29ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

EvaluateOperationalEffectivenessKeyComponentsApplicationcontrolsandgeneralcontrolsReliabilityPerformedbyknowledgeablepersonPerformedconsistentlyAppropriatelymonitoredProblemsfolloweduponatimelybasisKeyConsiderationsPeriodoftimevs.pointintimeAuditevidence–inquiryaloneisnotenoughSamplesizes–mustbeadequategivenfrequencyofcontroloperationServiceorganizations–SAS70Testcontrolstoensuretheyareareoperatingasdesignedandconsistentlyoveraperiodoftime30ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

Identify&RemediateDeficienciesKeyComponentsImpacttothefinancialstatementsIsitmorethaninconsequential?LikelihoodofoccurrenceIstheremorethanaremotelikelihoodofoccurrence?CompensatingcontrolsKeyConsiderationsIsolated/manualerrorsvs.systematicerrorsPeriodofeffectiveoperationHasimpactassessmentbeenperformedtodeterminetheimportancetothefinancialreportingprocess?MayneedtorevisitcontroldesignoroperationifdeficienciesareobservedIdentifyweaknessesandremediate/retestpriortocompliancedeadline31ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

DocumentProcess&ResultsKeyComponentsOverallassessmentprocessConsiderriskassessmentresultsDiscloseallknowncontroldeficienciesandweaknessesIncludeassessmentofcontroldesigneffectivenessKeyConsiderationsShow-stoppersMaterialweaknessesSignificantdeficienciesMaintainsufficientevidencetosupportmanagementassessmentprocess32ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

BuildSustainabilityKeyComponentsContinuouseffectivenessofinternalcontrolMonitoringactivitiesChangemanagementKnowledgecaptureandsharingKeyConsiderationsContinuousimprovementprocessRules,approachesandbestpracticesareevolving–staytunedEstablisha‘CenterofExcellence’modeltosupportongoingSOAcompliance33ImportanceofITControlstoSarbanes-OxleyInSummary34ImportanceofITControlstoSarbanes-OxleyInSummaryWiththedependenceonITforreliablefinancialreportingprocesses,ITplaysakeyroleincompliancewithSection404ofSarbanes-OxleyFormanyorganizationsSarbanes-Oxleyissimplyacodificationofexistingresponsibilities.TheseITcontrolresponsibilitiesalreadyexist;however,Sarbanes-Oxleymayrequireadditionalformalizationandsignificanteffortstodocumentandtest.CompaniesshouldensureIThasanactiveroleinSarbanes-Oxleyefforts:ParticipateonthecompliancesteeringcommitteeUnderstandthefinancialreportingprocessandcommunicatethedependencyonIT(applications,infrastructure,security,etc.)EstablishIT’sroleinensuringadequatecontrolsoverthefinancialreportingprocessDocumentITrisksandcontrolsrelatedtothefinancialreportingprocessRegularlytestcontrolsandremediatesignificantweaknessesEstablishmonitoringactivitie

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預覽,若沒有圖紙預覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負責。
  • 6. 下載文件中如有侵權(quán)或不適當內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準確性、安全性和完整性, 同時也不承擔用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

最新文檔

評論

0/150

提交評論